[Snort-users] writing rule with uricontent keyword
mkettler at ...4108...
Mon Feb 28 12:01:31 EST 2005
At 02:39 PM 2/28/2005, Jiju Menon wrote:
>I tried to get an alert with a test rule using uricontent:
>alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"yahoo.com";
>The rule seems not to detect a connection made to yahoo.com. Can
>anyone help me to get this rule working?
At casual glance, it looks OK...
As a sanity check, can you try a rule using "any any -> any 80" instead of
HOME_NET and EXTERNAL_NET?
You also might need http_inspect enabled for the uricontent keyword to work.